Noodlophile Malware Campaign Expands with Enhanced Phishing Techniques
Summary
The Noodlophile malware campaign has expanded its reach to target enterprises in the U.S., Europe, Baltic countries, and the Asia-Pacific region. The threat actors use spear-phishing emails disguised as copyright infringement notices to deploy the Noodlophile information stealer. The campaign employs advanced techniques, including legitimate software vulnerabilities, obfuscated staging via Telegram, and dynamic payload execution. The malware is designed to capture data from web browsers and gather system information. It is under active development to include additional capabilities such as screenshot capture, keylogging, and file encryption. The campaign has expanded to use corporate social media accounts as a pretense to target enterprises. The payloads are often delivered via Dropbox links masked by TinyURL redirects. The batch and command scripts are more heavily obfuscated and extract a URL from the description of a Telegram group, enabling dynamic execution of the payload. The final stealer is hosted on free platforms like https://paste[.]rs/Gc2BJ, complicating detection and takedown. The infostealer harvests web data, system data, credentials, credit card information, security controls, and browser support. The stealer employs self-deletion techniques to remove traces after execution, complicating detection.
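The summary above describes a multi-hop delivery chain: a TinyURL redirect to a Dropbox-hosted archive, a Telegram group description used as a dead drop resolver, and a final stealer pulled from paste.rs. The following added example (not code from the source articles or from any vendor report) shows how a defender can correlate that sequence in egress proxy logs. The log format (`<ISO time> <client> <method> <url>`), the host lists per stage, the 30-minute window and every sample line are constructed assumptions for this illustration.

```python
"""Detection sketch for the Noodlophile-style staging chain described above.

Added example, not code from the source articles. It flags a client that,
within a short window, contacts the staging services the campaign is reported
to chain in order: a TinyURL redirect, a Dropbox download, a Telegram group
lookup (dead drop resolver) and a paste.rs fetch. The log format, the field
order, the host lists and all sample lines are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage name -> host suffixes the page associates with that stage, in the
# reported delivery order. Subdomains match by suffix (assumption: the proxy
# logs the full host, e.g. www.dropbox.com or api.telegram.org).
STAGES = [
    ("redirect", ("tinyurl.com",)),
    ("dropper", ("dropbox.com", "dropboxusercontent.com")),
    ("dead_drop", ("t.me", "telegram.org")),
    ("payload", ("paste.rs",)),
]

# Correlation window (assumption): the whole chain is expected to run in
# minutes once the victim opens the lure, so a short window limits false hits.
WINDOW = timedelta(minutes=30)


def classify_host(host):
    """Return the stage name for a host, or None if it is not a staging service."""
    host = host.lower().rstrip(".")
    for stage, suffixes in STAGES:
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return stage
    return None


def parse_line(line):
    """Parse one constructed proxy log line: '<ISO time> <client> <method> <url>'."""
    ts, client, _method, url = line.split(maxsplit=3)
    host = url.split("//", 1)[-1].split("/", 1)[0].split(":")[0]
    return datetime.fromisoformat(ts), client, host


def find_chains(lines, min_stages=3):
    """Return {client: [stages]} for clients that hit at least min_stages
    distinct stages, in reported order, inside one WINDOW."""
    seen = defaultdict(list)  # client -> [(timestamp, stage)]
    for line in lines:
        ts, client, host = parse_line(line)
        stage = classify_host(host)
        if stage:
            seen[client].append((ts, stage))

    order = [name for name, _ in STAGES]
    hits = {}
    for client, events in seen.items():
        events.sort()
        best = []
        # Try every event as the start of a window and keep the longest
        # in-order chain; stages seen out of order are ignored, not counted.
        for i, (t0, _) in enumerate(events):
            chain, last_idx = [], -1
            for ts, stage in events[i:]:
                if ts - t0 > WINDOW:
                    break
                idx = order.index(stage)
                if idx > last_idx:
                    chain.append(stage)
                    last_idx = idx
            if len(chain) > len(best):
                best = chain
        if len(best) >= min_stages:
            hits[client] = best
    return hits


# Constructed sample log: 10.0.0.5 walks the full chain, 10.0.0.7 only reaches
# the Dropbox stage, 10.0.0.9 touches two services a day apart (benign noise).
SAMPLE_LOG = [
    "2025-08-18T09:00:01 10.0.0.5 GET https://tinyurl.com/abc123",
    "2025-08-18T09:00:03 10.0.0.5 GET https://www.dropbox.com/scl/fi/example/notice.zip?dl=1",
    "2025-08-18T09:02:00 10.0.0.5 GET https://www.example.com/",
    "2025-08-18T09:04:40 10.0.0.5 GET https://t.me/examplegroup",
    "2025-08-18T09:04:45 10.0.0.5 GET https://paste.rs/PLACEHOLDER",
    "2025-08-18T09:01:00 10.0.0.7 GET https://tinyurl.com/xyz789",
    "2025-08-18T09:01:02 10.0.0.7 GET https://www.dropbox.com/s/example/report.pdf",
    "2025-08-18T10:30:00 10.0.0.9 GET https://www.dropbox.com/s/example/slides.pptx",
    "2025-08-19T10:30:00 10.0.0.9 GET https://t.me/teamchannel",
]

if __name__ == "__main__":
    for client, chain in find_chains(SAMPLE_LOG).items():
        print(f"{client}: staging chain {' -> '.join(chain)}")
```

The default threshold of three ordered stages is deliberate: Dropbox and Telegram traffic alone is common in most enterprises, so a single hit on either host is noise, while a redirect-to-cloud-storage followed by a Telegram lookup and a paste-site fetch from one client within minutes is the specific shape this campaign is reported to have. Lowering `min_stages` to 2 trades precision for recall.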
Timeline
- 18.08.2025 22:24 · 2 articles
Noodlophile Campaign Expands with Enhanced Phishing Techniques
Sources:
- Noodlophile Malware Campaign Expands Global Reach with Copyright Phishing Lures · thehackernews.com · 18.08.2025 22:24
- Noodlophile Stealer Hides Behind Bogus Copyright Complaints · www.darkreading.com · 18.08.2025 23:28
Information Snippets
- The Noodlophile malware campaign has been active for over a year.
  First reported: 18.08.2025 22:24 · 2 sources, 2 articles (thehackernews.com, www.darkreading.com)
- The campaign targets enterprises in the U.S., Europe, Baltic countries, and the Asia-Pacific region.
  First reported: 18.08.2025 22:24 · 2 sources, 2 articles (thehackernews.com, www.darkreading.com)
- The phishing emails use copyright infringement notices as lures, tailored with reconnaissance-derived details.
  First reported: 18.08.2025 22:24 · 2 sources, 2 articles (thehackernews.com, www.darkreading.com)
- The phishing emails originate from Gmail accounts to evade suspicion.
  First reported: 18.08.2025 22:24 · 2 sources, 2 articles (thehackernews.com, www.darkreading.com)
- The malware is delivered via Dropbox links containing ZIP or MSI installers.
  First reported: 18.08.2025 22:24 · 2 sources, 2 articles (thehackernews.com, www.darkreading.com)
- The installers sideload a malicious DLL using legitimate binaries associated with Haihaisoft PDF Reader.
  First reported: 18.08.2025 22:24 · 2 sources, 2 articles (thehackernews.com, www.darkreading.com)
- Telegram group descriptions are used as dead drop resolvers to fetch the actual server hosting the stealer payload.
  First reported: 18.08.2025 22:24 · 2 sources, 2 articles (thehackernews.com, www.darkreading.com)
- The malware establishes persistence using the Windows Registry.
  First reported: 18.08.2025 22:24 · 1 source, 1 article (thehackernews.com)
- The Noodlophile stealer captures data from web browsers and gathers system information.
  First reported: 18.08.2025 22:24 · 2 sources, 2 articles (thehackernews.com, www.darkreading.com)
- The malware is under active development to include additional capabilities such as screenshot capture, keylogging, and file encryption.
  First reported: 18.08.2025 22:24 · 1 source, 1 article (thehackernews.com)
Similar Happenings
ChillyHell macOS Backdoor Resurfaces with New Capabilities
The ChillyHell macOS backdoor malware, initially observed in 2022, has resurfaced with a new version. This modular backdoor allows attackers remote access and the ability to drop payloads, brute-force passwords, and evade detection. The malware, disguised as an executable applet, was discovered on VirusTotal and had been publicly hosted on Dropbox since 2021. The malware employs multiple persistence mechanisms and communicates over various protocols, making it highly flexible. It can exfiltrate data, drop additional payloads, and enumerate user accounts. Apple has revoked the notarization of the developer certificates associated with the malware. The resurgence of ChillyHell highlights the increasing threat landscape for macOS, emphasizing the need for robust security measures. A new Go-based remote access trojan (RAT) named ZynorRAT has been discovered, targeting Windows and Linux systems. ZynorRAT uses a Telegram bot for command and control and supports a wide range of functions, including file exfiltration and system enumeration.
APT41 Targets U.S. Trade Officials in Cyber Espionage Campaign
The House Select Committee on China has issued a warning about ongoing cyber espionage campaigns by China-linked APT41 targeting U.S. trade officials and related organizations. The attacks involve phishing emails impersonating U.S. officials to steal sensitive information. The campaign coincides with contentious U.S.-China trade negotiations. The threat actors exploit software and cloud services to cover their tracks. The attacks aim to steal valuable data and gain unauthorized access to systems. The committee has noted similar tactics used in previous campaigns, including a January 2025 spear-phishing attempt targeting committee staffers. The FBI is investigating the ongoing cyber espionage campaign. APT41 has been known to conduct financially motivated activities in addition to state-sponsored espionage. The group has targeted various sectors, including logistics, utilities, healthcare, high-tech, and telecommunications. The committee recommends user awareness phishing training, mandatory multifactor authentication, FIDO keys, and appropriate email gateway and endpoint security tools to mitigate such attacks.
Axios Abuse and Salty 2FA Kits in Microsoft 365 Phishing Campaigns
Threat actors are leveraging HTTP client tools like Axios and Microsoft's Direct Send feature to execute advanced phishing campaigns targeting Microsoft 365 environments. These campaigns have demonstrated a 70% success rate, bypassing traditional security defenses and exploiting authentication workflows. The attacks began in July 2025 and have targeted executives and managers in various sectors, including finance, healthcare, and manufacturing. The phishing campaigns use compensation-themed lures to trick recipients into opening malicious PDFs containing QR codes that direct users to fake login pages. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA is being used to steal Microsoft login credentials and bypass multi-factor authentication (MFA). The Salty2FA kit includes advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its effectiveness and evade detection. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April 2025. The campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. Salty2FA targets industries including finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, metallurgy, and more.
MostereRAT Malware Disables Security Tools, Targets Japanese Windows Users
A new malware campaign, tracked as MostereRAT, targets Japanese Windows users with sophisticated evasion techniques. MostereRAT disables antivirus and endpoint defenses, uses an obscure programming language, and abuses legitimate remote access tools to maintain persistent control over compromised systems. The malware's capabilities include privilege escalation, keylogging, data exfiltration, and the creation of hidden administrator accounts. The campaign's long-term objectives and the full extent of its impact remain unclear. MostereRAT employs Easy Programming Language (EPL) to evade detection and uses Windows Filtering Platform (WFP) filters to block security telemetry. The malware deploys legitimate remote access tools like AnyDesk, TigerVNC, and TightVNC, making it difficult to detect. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools to reduce the attack surface. The malware uses mutual TLS (mTLS) to secure command-and-control (C2) communications and can run as TrustedInstaller, a built-in Windows system account with elevated permissions. MostereRAT can monitor foreground window activity associated with Qianniu - Alibaba's Seller Tool, facilitate RDP logins, and create hidden administrator accounts.
TAG-150 Expands Operations with CastleRAT in Python and C
The threat actor TAG-150, known for CastleLoader malware, has developed a new remote access trojan named CastleRAT. CastleRAT is available in both Python and C variants, and it is used to collect system information, execute commands, and download additional payloads. CastleRAT's development began in March 2025, and it is part of a multi-tiered infrastructure used by TAG-150. The malware is distributed through phishing attacks, fraudulent GitHub repositories, and other methods. The Python variant, also known as PyNightshade, and the C variant have different capabilities. The C variant includes keylogging, screenshot capture, file upload/download, and cryptocurrency clipper functionality. CastleRAT uses Steam Community profiles as dead drop resolvers for command-and-control (C2) servers. TAG-150 has been active since at least March 2025, using CastleLoader as an initial access vector for various secondary payloads, including remote access trojans, information stealers, and other loaders. TAG-150's operations have targeted critical infrastructure, including U.S. government agencies, and have been linked to a Play Ransomware attack against a French organization. The group's MaaS operation is likely promoted within closed circles, indicating a sophisticated and connected user base. TAG-150 is likely to develop and release additional malware in the near term and expand its distribution efforts.